Solved

Not able to install antivirus, hijackthis, killbox or any other tool

Posted on 2008-10-17
24
1,367 Views
Last Modified: 2012-06-27
I have some type of spyware on my computer.  The first thing is that I cannot install an Antivirus program.  I cannot run hijackthis or killbox.  I click on it and it does nothing.  A couple of things I noticed.  There is a red circle with an X in my system tray that will display a balloon stating the computer needs to download an antivirus.  If you click on it or cancel it, it tries to install XPAntivirus2009.  I also have registry entries and folders called Search assist or srchasst and inside they have .acs files.  I try to delete but says the program is in use.  Tried to install the antivirus in safe mode but no luck.  I also have an exe called facegame.  Any suggestions on how to install the antivirus to kill all the others problems?  Thanks in advance!
0
Comment
Question by:djb1011
24 Comments
 
LVL 22

Accepted Solution

by:
orangutang earned 150 total points
ID: 22744681
Can you send an Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) log? Or can you open Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)?
0
 
LVL 8

Assisted Solution

by:eXpeLLeD_4RM_heLL
eXpeLLeD_4RM_heLL earned 200 total points
ID: 22744742
Have you tried renaming the antivirus program and installing it thereafter?

For XP Antivirus 2009 the best solution is Malwarebytes Anti-Malware; you can download it from http://www.malwarebytes.org/.

Also you can download UBCD4Win from www.ubcd4win.com, use the how-to guide to create a bootable CD, boot from the CD and access the antispyware tools from the CD.
If you manage to get hijackthis to run please post a log back here.

Also see if you can run online scanners such as:
housecall.trendmicro.com/
www.kaspersky.com/virusscanner
0
 
LVL 3

Expert Comment

by:omic_admin
ID: 22744842
UBCD4Win is always my favorite tool of choice in these kinds of cases: boot off the clean CD (with the fixes), not the infected HD!
0

 

Expert Comment

by:ITS_TLH1
ID: 22745010
If those steps mentioned above do not work... You can try using the Hiren's BootCD. This is one of my favorite tools. It is a bootable CD loaded with tons of utilities to help troubleshoot and repair machines. The image is free to download and you can find more information at http://www.hiren.info/pages/bootcd. You want to pay attention to the following tools: McAfee AV, Process Explorer, Pocket KillBox, HijackThis, RootkitRevealer, SilentRunners, Autoruns, SpyBot, Spyware Blaster, Ad-Aware and many more... You can also try creating your own BartPE CD with the specific tools of your choice loaded.

Hope that helps.
0
 

Author Comment

by:djb1011
ID: 22746073
Do you create the UBCD4win bootable cd on another computer?
0
 

Author Comment

by:djb1011
ID: 22746324
or should you create it on the computer with the virus?
0
 
LVL 32

Assisted Solution

by:willcomp
willcomp earned 150 total points
ID: 22746470
Create it on another PC.

ComboFix will remove the infection. Follow instructions at link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It may be necessary to rename ComboFix. If so, please rename it during download and not afterward.

@ ITS TLH1 ---> Hiren's Boot CD contains pirated software and recommending it on EE is prohibited.
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 22751497
Also, if ComboFix manages to run, please post the ComboFix log file back here using the attach file button.
0
 

Author Comment

by:djb1011
ID: 22753342
Here is the HijackThis log file. I was able to run that, but that's it.
hijackthis101908.txt
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 22753574
Fix the following using HijackThis:
C:\WINDOWS\system32\wmianstd.exe
O2 - BHO: (no name) - {7E51A52E-9A0F-495F-88AB-1310E4E1FF62} - C:\WINDOWS\system32\efcDTJbc.dll
O2 - BHO: (no name) - {95F0FD92-3505-4437-9DF7-76EABE49FCC8} - (no file)
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\hgGwWMgf.dll
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat

I also see that you have managed to run it by changing the file name.

Try to run ComboFix in safe mode but also change the name during download before you run. Disable your antivirus program before running Combofix.

To start up in safe mode, restart your PC and press F8 before the Windows splash screen appears. A menu should appear with Safe Mode right at the top of the menu. Press Enter and choose your OS and let Windows start. Thereafter try and run ComboFix.
0
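As an added example (not from the thread and not part of HijackThis), a small Python triage script that applies the checks a responder would apply to entries like the ones quoted above: unnamed BHOs, a system binary name running from outside system32, wildcard Trusted Zone additions, and a populated AppInit_DLLs value. The log text is constructed from those entries plus one clean ctfmon.exe Run entry for contrast; SYSTEM32_ONLY is an assumed list.

```python
import re

# Constructed sample, modelled on the HijackThis lines quoted in the thread above
# (a clean ctfmon.exe Run entry is added for contrast). Not an actual log from the poster.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E51A52E-9A0F-495F-88AB-1310E4E1FF62} - C:\WINDOWS\system32\efcDTJbc.dll
O2 - BHO: (no name) - {95F0FD92-3505-4437-9DF7-76EABE49FCC8} - (no file)
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
"""

# Assumed list: binaries a Windows XP install keeps in system32. A copy running from
# anywhere else under one of these names is a classic masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
ENTRY = re.compile(r"^(O\d+) - (.*)$")

def triage(log_text):
    """Return (section, reason, detail) findings for suspicious HijackThis entries."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "O2" and body.startswith("BHO: (no name)"):
            path = body.rsplit(" - ", 1)[-1]
            reason = "orphan BHO entry" if path == "(no file)" else "unnamed BHO DLL"
            findings.append((sec, reason, path))
        elif sec == "O4":
            path = body.split("] ", 1)[-1]
            folder, _, name = path.rpartition("\\")
            if name.lower() in SYSTEM32_ONLY and folder.lower() != r"c:\windows\system32":
                findings.append((sec, "system binary name outside system32", path))
        elif sec == "O15":
            # Every wildcard domain in the Trusted Zone lowers IE's security for that site.
            domain = body.split(": ", 1)[1].replace(" (HKLM)", "")
            findings.append((sec, "Trusted Zone addition", domain))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that loads user32.dll.
            findings.append((sec, "AppInit_DLLs set", body.split(": ", 1)[1]))
    return findings

def trusted_zone_domains(findings):
    """Distinct O15 domains (the HKCU and HKLM copies of one domain collapse to one)."""
    return sorted({d for s, _, d in findings if s == "O15"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-38s %s" % f)
```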
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 22753577
Also, have you managed to run the antispyware tools located on UBCD4Win?
0
 

Author Comment

by:djb1011
ID: 22754038
I believe that I created the CD from UBCD4Win and burned the ISO file to a CD.
0
 

Author Comment

by:djb1011
ID: 22754160
Per my last post.  I did run and create the UBCD4win however when I put the burned cd in the drive and start up, it gives me an option that states:  boot from ...... but it goes by too fast.  How do I know if it's booting using the cd or booting from the operating system on the hard drive?
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22754593
Removing those programs in HijackThis probably won't help much since some of them will automatically be readded. Were you able to use ComboFix, Anti-Malware, Kaspersky, or SUPERAntiSpyware?
0
 

Author Comment

by:djb1011
ID: 22754699
I just downloaded combofix and getting ready to run it.   Could the malware be the reason that I can't install antivirus from Norton?
0
 

Author Comment

by:djb1011
ID: 22754827
Combo fix has just completed and here is the log.  
combofix-log.txt
0
 

Author Comment

by:djb1011
ID: 22754874
I have also run autoruns, the file is attached.  I saved it with the arn extension but it wouldn't accept it to upload it so I renamed it with a txt extension.  I was able to run Kaspersky but it couldn't fix numerous items.
AutoRuns.arn.txt
0
 
LVL 32

Expert Comment

by:willcomp
ID: 22754927
It's normal for AV to encounter non-deletable or non-fixable files after malware removal. Those files are in the System Restore folder and/or quarantine folders that are protected and not accessible.

For now, don't worry about AV software. Install and run Malware Bytes Antimalware to finish adware/spyware removal.
0
 

Author Comment

by:djb1011
ID: 22754964
I installed and ran Malwarebytes Anti-Malware and it found several infections. I have attached the log.

mbam-log-2008-10-19--22-21-26-.txt
0
 
LVL 32

Expert Comment

by:willcomp
ID: 22754978
Looks like you are good to go. Before doing anything else, uninstall ComboFix --> type combofix /u in a Run box to uninstall.
0
 

Author Comment

by:djb1011
ID: 22755091
Thank you for the help in removing the malware.  I am still not able to install my Norton Antivirus end protection.  It starts the download and then it will say that the wizard got interrupted and won't completely install.  Any suggestions?
0
 

Author Comment

by:djb1011
ID: 22755239
Please disregard my last comment I was able to install the antivirus software.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 22755256
Also, send us one more HijackThis log just in case.
0
 
LVL 8

Assisted Solution

by:eXpeLLeD_4RM_heLL
eXpeLLeD_4RM_heLL earned 200 total points
ID: 22755663
Before you uninstall ComboFix you must:
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\brastk9999.exe
C:\Documents and Settings\Stan Sanko\delself.bat
C:\Documents and Settings\Stan Sanko\xrt_jens.exe
C:\WINDOWS\system32\g50.exe
C:\WINDOWS\system32\efcBrSjh.dll
C:\WINDOWS\system32\prun.exe

Folder::
C:\Documents and Settings\All Users\Application Data\xcbepyfg
C:\WINDOWS\U3RhbiBTYW5rbw
C:\WINDOWS\system32\WS
C:\WINDOWS\system32\pi
C:\WINDOWS\system32\nys3
C:\WINDOWS\system32\mco2
C:\WINDOWS\system32\EV19

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Once this is complete you can uninstall combofix as mentioned previously.
And one HJT log will do as well.
0
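As an added example, not from the thread and not ComboFix's own code: a Python pre-flight check for a CFScript in the File::/Folder:: layout shown above. It parses the two directives used in the post, rejects an unfilled placeholder left behind by copy/paste, and refuses a Folder:: entry that names a Windows root directory such as system32, since a typo there would have ComboFix delete far more than the infection. The script text and its paths are constructed placeholders, and PROTECTED is an assumed, deliberately short list.

```python
import re

# Constructed CFScript in the File::/Folder:: layout from the post above.
# Paths are placeholders, not the poster's; <user> is left unfilled on purpose.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\example_bad.exe
C:\Documents and Settings\<user>\dropper.exe

Folder::
C:\Documents and Settings\All Users\Application Data\xcbepyfg
C:\WINDOWS\system32
"""

KNOWN_SECTIONS = {"File", "Folder"}  # only the two directives used in the post
# Assumed list of directories that must never appear under Folder::.
PROTECTED = {r"c:\windows", r"c:\windows\system32",
             r"c:\documents and settings", r"c:\program files"}

def parse_cfscript(text):
    """Return {directive: [paths]}; raise ValueError on a directive not in KNOWN_SECTIONS."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            if current not in KNOWN_SECTIONS:
                raise ValueError("unknown directive: " + line)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("path before any directive: " + line)
        else:
            sections[current].append(line)
    return sections

def check_cfscript(text):
    """Return (path, problem) pairs that should stop the script from being run."""
    problems = []
    for section, paths in parse_cfscript(text).items():
        for p in paths:
            low = p.lower()
            norm = low.rstrip("\\")
            if "<" in p or ">" in p:
                problems.append((p, "unfilled placeholder"))
            elif not re.match(r"^[a-z]:\\", low):
                problems.append((p, "not an absolute drive path"))
            elif section == "Folder" and (norm in PROTECTED or
                                          any(r.startswith(norm + "\\") for r in PROTECTED)):
                # Also catches an ancestor such as C:\ that would take a protected dir with it.
                problems.append((p, "protected directory in Folder::"))
    return problems
```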
